Just so we're clear, I'm only speaking as myself today.
I am not a representative of the U.S. government.
I am not a representative of my current employer.
I'm pretty sure neither one of them would be really happy with me up here talking,
but I feel it's part of my duty as part of this community
to kind of give you some stories that are personal stories from this community
as what I took into the government, what I learned while I was in the government,
what I saw that was a little bizarre while I was in the government,
and what I'm taking back out of it.
And there are four stories I'm going to tell you
that all have some kind of unexpected outcomes and unexpected twists.
You've probably heard about some of these stories in the media,
but these are kind of different back origins to them that you haven't heard before.
I'll do my best to be as accurate as possible,
but I'm going to start with the first one.
I'm going from memory from some of these, and some of these go back several years.
Memory is imperfect, so I apologize in advance.
So I'm not trying to piss off or be pro or con any particular community,
but I want understandings, which is why I'm trying to tell these kind of non-obvious stories.
Somebody had tweeted me something encouraging me to do this talk,
saying anything we can do to help people understand,
and each other is good, because, of course, prejudice is bred from ignorance and exclusion,
so you can kind of consider this my transparency-slash-trip report
from three years inside the DOD.
Not long after I started working at DARPA,
I got funding approval for the first of one of many programs that I would actually run.
I know most folks are only familiar with a few of them.
The first program was something called Cinder.
And it was focused on super-evolved advanced persistent threat.
The program had nothing to do with whistleblowers,
had nothing to do with humans.
It was targeting autonomous software.
There was an author at Forbes magazine, Andy Greenberg,
who found out that Julian Assange and I knew each other
and have kind of known each other for, I don't know, probably 20-plus years.
And he wrote an article that, the way I read the article,
attempted to pit me and Julian again.
We had a conversation, and we were talking to each other,
claiming that Cinder was a response to Wikileaks.
You know, a sexy story of hacker friends, you know, who now find themselves at odds,
one trying to spill the government secrets,
one trying to protect the government secrets.
Yeah, it's a sexy story.
The problem is it's entirely untrue because Cinder had nothing to do with that.
So since he and other folks wanted to kind of make a story about me and Julian
where there was no story before,
I figured I'd tell you an actual story about me and Julian.
And this first story is called how the DOD unintentionally created WikiLeaks.
So it was 2009.
I had yet to go into DARPA.
I was over in Germany for the CCC Congress, which, by the way, is awesome.
And by the way, Berlin is freezing in December.
So it's a couple blocks from the hotel over to the Congress.
And I braved it across.
It takes about like 10, 15 minutes before your lips come back and you can actually start
to form words again.
So there was this talk that I wanted to see at the Congress.
And I watched it.
It was great.
There was a gap between the next talk that I wanted to see and the whole decision was
do I go back to the hotel and go out in the frigid Berlin, you know, winter, or do I find
something else to kind of pass the time?
It's CCC.
It's easy to find things to pass the time there.
And there was a talk that was going on.
It was going on about Wikileaks.
Remember, 2009.
No State Department cables, no nothing like that at this point.
Wikileaks had been around, but it wasn't kind of in the popular vernacular.
It wasn't a household name.
So I look at it and go, oh, what it's taking to run Wikileaks, you know, how we do it behind
the scenes operationally.
I'm like, that's cool.
And it talks in English and it's inside, so yay.
And I'm looking at it and I'm like Julian Assange, Julian Assange, you know.
And the name was ringing a bell, but it didn't mean anything again because, of course, you
know, I hadn't hit it.
So I saw him up on stage and, you know, he's a kind of striking physical, the kind of shocking
blond white hair, you know, sharply dressed, and I'm recognizing the voice.
And it took almost the entire talk before it dawned on me that I knew him by a different
name.
I knew him as Prof.
Some of you remember Prof.
Some of you remember Strobe that he wrote like ages ago.
You know, he was over at suburbia.net, I think, Prof at suburbia.net.
And I was like, holy crap, this is the same guy who I've known, you know, for years.
I hadn't seen him in like a decade or I hadn't interacted with him online.
At one point I think he was even managing Sun's security updates and patches for all
of the distributions for SunOS at sunsite.unc.edu.
So we should have nominated that for, you know, possible or potential, you know, epic
ownage.
That's kind of cool if you think about that.
So after the talk I was all excited and, you know, I went up to him, waited until the crowds
kind of died, smaller crowds outside.
He's having a cigarette.
And I said, oh, this is going to be fun because I had cut my hair, you know, I didn't have
the ‑‑ if you've seen the shirts, most people remember me looking slightly different.
And, of course, I'm like, oh, I'm going to play with this a little bit.
So I walk up to him.
I know he doesn't know my voice.
And, of course, he's not going to physically recognize me.
So I do that whole hacker jerk sort of, you know, say something that, you know, it's like,
what the hell?
How did they know that?
Kind of just set up a state of detente.
And I go, hey.
When's the last time you saw me?
When's the last time somebody called you prof?
He looks at me weird and I'm like, oh, if you think that's weird.
Did they ever find out why the MD5 checksums on those Solaris update patches didn't match
the actual patches that people installed?
That was SunSITE, right?
And he's just looking at me like, who the heck is this guy?
And probably, possibly because he hadn't, you know, heard the phrase prof for a while.
And it could very well be that, you know, he had no clue what I was talking about with
the latter one.
And I go, hey, you know, it's me.
It's Mudge.
It's all sort of thing.
And he kind of relaxed and, you know, we chuckled about it.
And I was saying, hey, you know, you were really, really passionate up on stage about,
you know, WikiLeaks.
What was the real impetus?
What was the turning point that made you do that?
Because the last I had seen you, you were leaving the hack scene, going off to academia
to do your advanced degree.
He was working on a cryptographically based file system.
A rubber-hose file system for duress-based decrypting.
And I said, you know, where did you go?
You know, all the old gang and everything haven't seen you.
So we chatted and he said, you know, let's go out and have dinner.
So we spent the next several hours over food in Berlin.
And we were chatting.
And I wanted to know just how passionate he was and how far he was willing to go on it.
So I asked him a hypothetical question.
I said.
I said, let's suppose back in the day my thing was I collected packet captures of everything.
Let's assume some of those packet captures have you going into other systems.
You know, beyond a shadow of a doubt.
If I submitted those packet captures, you know, kind of incriminating you to WikiLeaks,
would you release them?
And he looked at me and it only took a couple of seconds and he said, hey, we get some very
similar sorts of questions.
Because people ask us, you know, kind of on a parallel, if someone were to send us a list
of the contributors to WikiLeaks, would we publish it?
And the answer is that, you know, we don't want to know who our contributors are because
we want to keep the protection there, we being WikiLeaks, I'm speaking as him from
memory here.
So we tried to get in touch with the folks that contributed.
But we won't know who they are.
So ultimately in case that list is real, we would have to publish it.
I was like, oh, that's cool.
And then he just ‑‑ you know, we moved away.
We moved on to the next topic.
Now, if any of you have actually interacted with him or know somebody who has, they'll
tell you that he is a very smart person and that's absolutely right.
And it took me probably an hour to realize that he never answered my question.
But he told me a really interesting story because he told me ‑‑ and this is what
stuck with me in 2009 from that dinner ‑‑ what the turning point was.
Now, maybe this was a story just for me.
Maybe it was, you know, kind of the appropriate thing.
But I took this to be kind of ground truth and it stuck with me, which is why I'm telling
you.
And I used to tell people inside the government the same question when later WikiLeaks kind
of popped up.
He said, yeah, I had gone off.
I was over at university doing my graduate work, something essentially fundamental research,
which means something to the government folks.
And he said it was funded, you know, by the U.S. government.
It was a grant.
You know, from like NSA type DARPA sort of stuff.
Funding.
I don't know if those were the actual agencies.
And he said it was during that time period where there was a big pullback from the DOD.
And the message that the universities received was we're not funding you to do basic research
anymore.
It's all classified now.
His work got rolled up in that.
Now whether that was actually why it was being pulled back or if that was just the perceived
message, I don't know.
So if you think about it, here's a non‑U.S. citizen.
I don't know.
Who's changed ‑‑ who's made a life decision, go to graduate work, go ‑‑ you know, kind
of leave the community that we knew him in, and all of a sudden his funding gets pulled
and he's told that he's not allowed to know what it was that he was doing, not allowed
to know what it was that he had, you know, discovered, and no actual reason as to why
the funding is.
I mean, that's kind of what it's like when you're a graduate student and somebody pulls
your funding sort of thing.
And this just really, really rubbed him wrong.
And he said this is the wrong reason for this.
This is the wrong reason for classification, if that's why he lost his funding.
This is designed to keep people ignorant and withhold information to keep folks disadvantaged.
And he said it was at that point that he decided that he was going to devote his life
to exposing people who tried to keep secrets.
And hence Wikileaks was born.
So when folks in the DOD would ask me, hey, do you know this, you know, Wikileaks thing
and what are your thoughts on how we could, like, you know ‑‑
Okay.
How do we address it?
They were a little surprised with my answer going, well, you know, by some accounts the
government actually created it in the first place.
It was at that point during the night at the ‑‑ in the restaurant, Julian goes, well, so,
you know, that's what I've been doing for the past ten years, you know, what are you
up to?
I said, oh, I'm about to go work at DARPA.
So that's my first story.
Second story is about Anonymous and the Department of Defense.
I remember Anonymous from way back ‑‑ I mean, Anonymous, I use it as, like, you know,
a proper noun, but obviously we're all familiar and it's much more ‑‑ it's kind of a
movement of thought.
You know, it's more ephemeral than that.
And when I remember them, you know, they were going after Scientology and RIAA and there
was all the force.
Sort of soap opera stuff going on.
And at some point, their scope or the target, you know, expanded to include the government.
And general wisdom was that the triggering event was the DOD's response to WikiLeaks
and Manning, et cetera.
But the way I saw it, there was actually something else that was a bit more subtle that folks
hadn't realized.
So in 2011, the DOD released the strategy for operating in cyberspace.
There was some very minor backlash to some of the wording initially.
I think there was an initial, you know, small leaked version of it that went out and it
was followed by a later one.
But there was some more specific backlash and chatter in the hacker researcher community.
The strategy stated that the DOD was going to, you know, treat cyberspace.
It's a domain to conduct operations in.
And it appeared kind of modeled off of outer space, you know, treating space as, you know,
these are DODish words, a domain.
And there were some confused conversations going, well, why is anybody upset if you treat
cyberspace as a domain?
You know, there wasn't that much upset with treating space and, you know, nobody lives
in cyberspace, which you could have kind of only hear inside the government, like a statement
like that.
You know, we all live in cyberspace.
And the hacker researcher community made cyberspace ‑‑ I'm really not a fan of that word ‑‑ made
the Internet and, you know, online, you know, our homes well before the government and
everybody else kind of made it just, you know, where they always lived and did everything
in.
So if you send a message that, you know, that's somebody's backyard and that you're going
to militarize and, you know, prep for war in somebody's backyard, that can stay.
It can sound really scary.
And it can galvanize folks to respond.
One of the problems was there was not an understanding as to who the message was actually intended
for.
So in addition to treating it as a domain, they said something else, which was, and in
response to ‑‑ and I'm paraphrasing, but in response to hacks, we'll consider responding
with kinetic force.
So if you don't actually specifically call out who the recipient of the message is, everybody
reading it thinks it's directed to them.
I read it.
I thought it was directed to me.
And I'm going, like, you know, what the heck?
You know, I joke my buddy and I replace his, you know, HTML, you know, the main web page,
you know, and that's considered a hack and all of a sudden I've got somebody launching
a Patriot missile at me?
This makes no sense.
You know, what level of hack?
Because if we look at, like, CFAA response, you know, maybe they actually think a Patriot
missile is the right thing for, you know, defacing a Web site.
I don't know.
And none of these are the right questions.
Because I'm not the intended audience.
But of course I'm reading it as if I was.
And of course the logical next question is, wait, do they understand how attribution works?
Because you know, what if ‑‑ what if I do it, you know, bouncing through an ally?
You know, what if I do it from within the U.S.?
Are they going to kinetically respond?
Respond against themselves?
I mean, this is ‑‑ and you kind of go, okay, wait, you know, back up.
If the message were directed to, let's say, you know, other countries, other, you know,
somebody in specific that's got a significant power that they say, look, we're talking about
critical infrastructure or something of that nature, if you turn off the lights in New
York, we'll probably be able to figure out who you are because you're not a small little
hacker defacing Web sites.
And maybe there's attribution in place that we can respond to.
That would have been an entirely different sort of message.
And I wouldn't have read it as the whole, like, wow, if I get root on something in
my own system, you mean, is the government going to shoot me?
Which is just silly.
But I wasn't the only person who read it that way.
And it's nice having been in this field and in the hacker researcher community for, geez,
going on almost 25 years ‑‑ well, actually, over 25 years.
Some folks were sending me, hey, have you seen what's going on in the chat rooms?
And there were some folks who were claiming affiliation or claiming support of Anonymous
that were going, hey, you know, have you read this?
Look who's trying to prep for war in our backyards.
Do they even understand how attribution works?
This is bullshit.
If they think they can find me, it's on.
Let's go.
And the next thing you know, there were a couple Web sites defaced, and they ended in
.gov.
Now ‑‑
This is where it gets kind of funky.
Defacing a Web site, it's kind of a message.
It's a little warning shot.
But that's in a language that Govies don't know.
So the Govies didn't get the message as far as, you know, what I saw.
So here's the initial strategy for operating in cyberspace that goes out, probably directed
to somebody else, but by poor messaging, is misinterpreted by a group.
The group responds, fires a warning shot.
The warning shot isn't understood.
And it's like, hey, what are these vagabonds doing?
Look at the little street punks or whatever.
They're not somebody who actually has a message that we should actually engage in.
And it's just this little cascading effect.
So that's kind of unfortunately where I saw, you know, the expanding of scope and a lot
of misunderstanding.
I'm not saying the two groups should be friends.
I'm not saying one group is good and one group is bad.
But when you send a message out into the world, and this is for both groups, you really need
to make sure it's understandable by all the parties that are going to receive it.
You can't assume it's just going to be read by the person you had in mind.
With all love and respect, there's one very obvious commonality between the hacker researcher
group and the government, and it's that they can be very arrogant and expect everybody
will speak their own language and that they don't have to speak anybody else's.
I think that's a really common mistake.
So the recommendation for the government, from my vantage point of both sides, is figure
out how messages are going to be received by the more general populace of cyberspace,
because we all live there now.
This is actually a great opportunity for diplomacy.
And you can kind of think of it like the lost city of Atlantis, because cyberspace
kind of took them, I think, the world, by surprise, obviously hasn't been around that
long.
So what if Atlantis just pops back up and there was an advanced, very technically capable
group of people there?
You wouldn't sit there and ignore them.
You wouldn't taunt them.
You wouldn't attack them.
You'd probably actually try and understand them and figure out how messages are going
to be sent to somebody else might be interpreted to them.
You might even try and figure out where you guys already see things eye to eye and where
you have differences.
So my recommendations to the citizens of cyberspace is keep in mind that the government, and
in particular the DoD, has very specific focuses and goals.
And they often only see things from their own point of view, because they're really
focused on doing that job.
And when you read things that appear to be a message directed to you or your community,
coming from an unlikely source, you should question whether or not the message is
actually intended for you, or if it's just intended for somebody else and really poorly
worded.
And if you still think a response is necessary, you really need to think about the message
that you're sending to make sure that you don't make the same mistake in return.
My third story is ‑‑ well, let me give you a little background.
Okay.
So I know a lot of people approach me outside of work and go, hey, Mudge, you know what's
going on.
We're all owned.
And these were large companies that are oftentimes funded by taxpayer money.
I'll just say that there are large government contracting organizations.
And it's like, hey, why don't you, like, start a program that actually pays us to go clean
up the compromises or at least figure out what happened and how bad the damage was?
Okay.
All right.
Well, isn't that your job?
And it made me think that there's actually ‑‑ there's not a financial incentive for these
companies to actually go fix the problems.
So the next question was, is the inverse true?
Can government contractors actually make more money by remaining compromised and continuing
to lose intellectual property?
So this talk is called Game Theory is a Bitch.
Whew.
I was having dinner with ‑‑ a lot of these stories are because I'm outside having dinner
somewhere.
I don't cook.
I was having dinner with an old friend.
And his company goes in and cleans up APT after, you know, big well‑known names get
compromised in particular whether they're government contractors or commercial organizations.
And he posed a really interesting hypothetical because we were just shooting the crap back
and forth.
He said, hey, what do you think about the following chain of events?
First, RSA gets compromised.
Networks defended by their tools are vulnerable and as a result, a defense contractor gets
compromised.
Said defense contractor, if you look up on Wikipedia, is the one who made this really
cool stealth drone.
Later, a really cool stealth drone goes missing over in a, you know, Middle Eastern state.
Like, what do you think about that chain of events?
I'm like, that's terrifying.
And he's like, yeah.
And I'm like, no, no, for an entirely different reason.
Look at it this way.
I have no clue.
That's a hypothetical.
And there were a whole bunch of rumors about what had happened.
But let's assume that you, as a country or a large organization, that your advantage
is technology.
You can field the fastest and the best technology.
So you're ahead of everybody.
That's your advantage.
Okay.
Newest, most advanced toys.
Someone else steals some of your tech.
What do you have to do?
You've got to replace it with newer tech, right?
You've got to keep your advantage.
So suppose a government contractor gets some of their super tech stolen, and what does their
government customer actually need to do?
Well, the government in that case, and this is all game theory hypothetical, need to
pay someone to make the next version.
So that the people who just stole it don't achieve parity.
So that they're not even.
They could go to some other government contractor, because of course, you know, the one in question
just lost everything.
But they actually most likely won't.
And here's probably why.
The initial contract for very expensive research efforts can take a long time to put in place.
You're talking over a year.
Sometimes.
Longer than ‑‑ you know, sometimes you measure it in years rather than months.
That was part of the coolness of CFT is that we were measuring that in days.
Imagine if you're under something ‑‑ sequestration is what we're under now.
It can take even longer.
So if a government agency wanted to start a new program to replace tech, so that's
essentially starting the same program to do the same thing that you were already paying
somebody to do, A, it's tough to get permission to do that, because you've got to go justify
taxpayer money.
I'm like, we just gave you that.
We gave you the money to do that.
And B, when you spin it back up, you're going to have to redo a lot of work.
You're going to have to redo the contracting that you already had in place.
You're going to have to spin people up to speed on management side.
You're going to have to re‑spin up the tech side.
And you've spent years putting that in place.
So why wouldn't you just go back to the people that you already have a relationship with,
already have a contract with, they already know what they lost, or, you know, maybe you
know what they lost and stuff, and you can tell them, because they're your customer.
So you just pay them to give you the next thing.
Remember, they're not financially incentivized to go fix how they were actually compromised
in the first place or clean it up.
Because staying with a really familiar solution or situation is comfortable, which makes us
a trap that a government funding source can actually be particularly susceptible to.
You can view this on a case‑by‑case basis and kind of staying with the same contractor
could even make sense.
But if you step back and listen to what's been talked about in the media, you may see
something that's a larger picture that seems like an endless list of technologies and
IP being stolen.
And each time it happens, that company is in a situation where, A, there's really no
penalties or reprimands for it.
And on the contrary, they're actually rewarded with more funding.
So because their customer needs to make the next tech to replace the stuff that just got
stolen, to replace the stuff that just got stolen, to replace the stuff that just got
stolen.
So yeah.
Game theory is a bitch because if you look at it at this angle, and part of the neat
thing about game theory is you can fall into game theoretics without realizing that you're
doing it, government contractors can actually be in a situation or are actually in a situation
that they're financially incentivized in some places not to listen to their network
sysadmins and not actually to really deal with the problem, perhaps the way with the
drastic changes that need to be made.
The four A's.
Fourth and kind of closing story, and maybe I'll do a fifth story about Barnaby Jack in
Abu Dhabi.
Yeah, I think I'll do that.
The fourth story.
Sorry, I just mentioned Barnaby Jack and I just started getting a little teary.
I think I might stick with just the fourth story, then.
Fourth story closing is more of a kind of plea to both the government communities and
the hacker researcher communities.
Because from the beginning, I've been a hacker researcher.
That's the vantage point of both.
I don't have a lot of examples of our community, the hacker researcher community, really reaching
out in a proactive and positive way to educate and enlighten the government.
We do it, but we do it really ad hoc.
And I think we need to try a little harder to do specific examples.
I've been a little upset about some of the things in the news lately.
And actually, one of your options, it is a scary option, is to actually go inside and
try and fix them there.
People will fight you tooth and nail.
It is not for the faint of heart.
That's actually what I did when I went over to DARPA.
I didn't go there because I thought it was cool.
I didn't go there because I wanted to be a part of the government.
I actually went there because I thought that they and other parts of the government had
kind of lost their way.
And I had an opportunity to go in and fix it.
I did get a really nice unofficial e‑mail from somebody recently, and it was about CFT,
which makes me think that ‑‑
We, actually, because you guys were all a big part of that, did manage to pull some
of that off.
So I'm going to quote from this e‑mail I got to my personal account.
And the person said, I recently had a meeting with all the agencies and DOD services, and
listening to them, it was my turn to be terrified because of how out of touch with reality they
were with cybersecurity and cyber defenses, and it made me realize how much I and the
DOD owe you ‑‑ and that's us ‑‑ for Cyber Fast Track.
And here's the part where I was really happy.
I thought CFT was showing the government how they should be doing contracting, but now
I actually understand what you were doing.
It was showing the government what the real state of the art is, why they should be afraid
of people on the inside who continue to just preach the status quo and throw money at the
same problems the same way they have done before.
So that was actually pretty cool, because somebody ‑‑ they're starting to realize
that.
And I've heard people at high levels.
Flag officers, a couple pockets were starting to refer to hacker researchers as, you know,
researchers.
It was hacker equals researcher, not hacker equals criminal.
And I thought that was really cool.
It's not saying that we should go all in and support the DOD.
And I'm not telling you you should like the DOD.
I've got a lot of issues with the DOD.
I will continue.
I'm sure they've got a lot of issues with me.
This talk might even be one of them.
But what happens there is now that they know where some of the real ideas are, they're
going to try to reach out and tap into it in various ways.
And this goes back to an earlier story where they kind of projected their problems and
their images and their goals on somebody else.
So there's likely to be some uninformed and failed outreach efforts.
So I've got a couple of recommendations to the government that maybe will help with that.
So I think it's really cool.
When government officials throw on ‑‑ I don't know.
Blue jeans and a black T‑shirt because, of course, then they're part of our community.
But that's not necessarily all there is to interacting with us.
And it makes sense before you present at a conference like this that you should probably
consider attending one and actually interacting and getting to know the people.
There was one guy, there was a three‑star general who did that at ShmooCon.
And I thought that was one of the coolest things.
And he wasn't there for any agenda.
And I remember conversations.
With him afterwards, he actually had an understanding.
He was like, oh, this is awesome.
No, there's no way people should try and go in and mess with them or try and co‑op them.
I was like, yeah, exactly.
That's us.
That's the citizens.
That's the population of the U.S.
So the message to the other ones who haven't really made that turn is go and actually interact.
Now, the response I'd get was the schedule is too crazy.
You know?
You can't possibly do it.
And I saw those schedules.
And sometimes I was even on those schedules.
But if it's important enough, I know ‑‑ I know ‑‑ I acknowledge they are crazy
schedules.
These guys work like bears.
Which isn't to mean that they sleep for half the year.
Bad analogy as soon as I said it.
I was going to say like a swear word and bears came out instead anyway.
If it's important enough for you to want to reach out to a community, you've got to go
out and you've got to reach out.
got to make the effort and you've got to put it in your schedule and you've got to go interact
with them on a one‑on‑one level first because that's showing your homework and doing
your homework shows respect. The next suggestion to them is, and this is
what I try to encourage inside, is you can't go out and do a recruiting pitch because it
comes across really poorly. I used to get so bent out of shape when I would see a Govie
stand‑up at a hacker conference and I'm like, here it comes. We do awesome stuff but
we can't tell you anything about it. Trust us. You with the mohawk, if you shaved your
hair, put on a suit, maybe even a uniform, stop smoking dope, you can come work for us
and do something with your life. That's how I interpreted it. Now, that might not be the
message. It might just be a look, we need help and we're trying to reach out to you.
But it's just a take, take, take sort of message. What can you do for us today? What can you
do for us today? What can you do for us today? What can you do for us today? What can you
do for us now? And, you know, to me it was offensive.
What would it be like if you had a senior official from a very technical agency come
out and actually give a technical talk? Because this is a meritocracy. That's where this community
came from. A meritocracy is your value in the community is based upon how much you contribute
to that community. And that's one of the reasons why I was really happy that ‑‑ because
I know a lot of people are like, why the hell did Mudge go over and go to the DOD? He
was one of us. Now he's one of them. And I had spent 15, 20 years contributing to this
community. And I wasn't about to stop. And when I was there, I was able to actually
fight for this community and try and make sure that the interactions were a little bit
better and that, you know, we were treated and engaged with normally. And those 10, 15
years of contribution gave me enough grace period, you know, to build trust up again
again, on both sides. And you've got to do that. And you do that by interacting with
people. So the value of somebody in one of those agencies coming and giving a technical
talk wouldn't be that you learn something really cool about how SELinux was actually
done and why it was done or what the internal battles were to get it across. It wouldn't
be that somebody is going through the technical components of one of the patents, one of the
numerous patents that are out there, you know, let's say IP geolocation, the ones that
we've read about. It would actually be that they're engaging us and interacting with
us in our own language and treating us as peers and starting a dialogue.
So I think I will give the Barnaby one after this. But I'm going to summarize this
one here. Am I telling us ‑‑ you know, am I pleading that we should not challenge
the government? Absolutely not. I think challenging the government is your patriotic duty as a
citizen. I think it is very important to do.
It's painful for both sides, but it's something that has to happen and that's why we're such
a great nation.
We also need to ‑‑ I mean, you can't train a dog just by repeatedly beating it.
I mean, it will learn some stuff, but it will probably learn stuff that you weren't intending
and it will bite you at some point.
So when you see the dog do
something good, it's nice to give it a treat. And there are certain little pockets inside
the government. And one of the things that I think that we as a community can do better
is, yes, we need to challenge the stuff that we're seeing. We need to challenge the things
that are in the news. But if you see a small pocket of hope, like if you see a Congresswoman
that's helping put through Aaron's Law, we need to support them. We need to help them. We need to encourage them for actually
going ‑‑ because they're going to get a lot of crap thrown at them. And they're
actually doing the right thing. And there's not a lot of people supporting them. So we
need to be more vocal as a community to actually support them.
There was a colonel in the Army who managed to get the NSA to have to include Little Brother
as a book that they read as part of their training. Have you read Little Brother, Cory
Doctorow's? That's awesome. That helps sensitivities. That guy caught a lot of crap for that. And
it was really cool. I mean, there's nothing wrong with that book. That book gives you
a new way of looking at things. And the more ways you have of looking at it, the more understanding
you have and the more positive outcome. That guy is also ‑‑ he's a colonel. He's
over at West Point. His name is Greg Conti. I'll call him out. He was one of the people
who encouraged the cadets to actually go out and talk at our conferences and contribute.
So the U.S. Department of Defense, Build Your Own UAV at a 99.99% discount by Mike Wiegand was an example of
that. And that's engaging. And that's actually sharing. And it created dialogues.
At ShmooCon, he and his colleague walked through their training course that they ran
at Fort Meade to try and socialize folks. It was Lessons of the Kobayashi Maru. I highly
recommend you go watch this talk. Because he had to teach them how to cheat. And I
think he was very interested in that. And he wrote a book called The Good Behaviorist.
And it's hilarious and it's insightful and it's humanizing. Most importantly, it's humanizing.
So where we see those pockets of hope and of outreach and of engagement, I'd just really
like to ask all of us to try and figure out a way, for each time we're challenging something
something else to try and encourage the good behavior.
Okay. So let me try and give my Barnaby one without actually breaking down into tears
here. See if I can pull myself together. It's a real quick one, but it's my little tribute
to him. Because there's two things that happened, interactions with Barnaby, that I'll always
remember. I mean, I remember all of the interactions, but two really stand out. One was a talk.
I was on the steering committee of NDSS and they asked me if I could bring in some folks
to run some demos that would kind of break the academics out of the academic mold and,
you know, what better people than Barnaby Jack when he was working with eEye and the rest
of the eEye team to actually come in. The problem is that the conference, you know, like a lot
of conferences, very cheap. They wouldn't pay them to come do the work or whatever.
So I said, all right, guys, you know, the drinking bill the night before is on me. I'll
just foot the bill myself. Which is a very, very dangerous thing to do. Barnaby had a great time. I don't think they
went to sleep. They just kept drinking. They were on in the morning. And the audience at
NDSS I don't think actually really understood how cool the technology was that was being
demonstrated. Because this is almost ten years ago at this point. And Barnaby was remotely
compromising a wireless router, replacing the firmware and then trojaning the Microsoft
updates that were going through it over the wire before they were delivered to the NCI.
They were demonstrating a boot route where they were getting an Ethernet ‑‑ so a computer
that was told not to boot off the network, the Ethernet adapter was on the PCI board
so it had direct memory access and it would still emit a BOOTP packet and if you responded
to it, the Ethernet board would actually shove it directly in memory and boot from the network
even if your BIOS didn't have that capability.
So, of course ‑‑
Of course, they would say, here is your base operating system, as a little hypervisor,
and then of course the operating system would load up on top of this.
This is a decade ago.
This was awesome.
And the reason why I don't think any of the audience actually caught the technical part
of those talks is because Barnaby nearly threw up on stage ten times in the middle of trying
to give that talk and everybody in the first row was terrified that they were at some
perverse form of a Gallagher hacker show.
And then the other thing I remember about Barnaby was I had just gone in and I was working
for DARPA and my first public speaking engagement as a U.S. official was in Abu Dhabi.
So here I am, first time, the government is a little nervous about me, I'm a little nervous
about them.
I'm flying under my government official passport, not my blue tourist passport.
So all the coordination between the countries, that I imagine has to go on with those folks.
And I'm in Abu Dhabi and it was actually to do the keynote for Black Hat, it was the
first year they were over there, and it was the first time ever that I was showing parts
of the cyber analytic framework that I drove at DARPA, and it was my way of trying to get
a small group of peers that I could interact with and get feedback and just talk honestly
and like, does this make sense or, you know, am I full of crap.
And Barnaby was there and the Grugq is there.
And those are two people that put together, you know, that will deplete the world's alcohol
supplies.
And he was doing his jackpotting ATM machines.
Now the UAE has a lot of money they've come into since the 70s.
And in the palace there is an ATM machine that dispenses gold bars.
And they're very expensive gold bars.
Not like you've got like a $200 withdrawal limit.
I mean, these are in the tens, if not hundreds, I can't remember how high up the price was.
There might have been the ability to withdraw a million dollar gold bar from it.
And some of you might have seen the picture of Barnaby kind of going like that, you know,
right next to the thing.
So Barnaby's had a few drinks.
And they see the gold ATM machine.
You know, so why do you think it works?
And they're peering behind it.
And the folks who are, I think it's the son or one of the relatives of the Crown Prince
who I knew from a prior life, is looking at me going, what's going on?
And they're all starting to gather around the gold ATM.
And I forget who it was that tweeted and said, I remember Barnaby and the UAE and having
to go to the State Department to basically ‑‑ or not the embassy, calling the embassy to
make sure everything was okay.
It wasn't the embassy.
It was me.
Having to go over and talk to, you know, people who are part of the Court of the Crown
Prince and explaining, no, I know you're not used to extremely heavy drinkers.
And you just invited a bunch of hackers into your country.
And they've demonstrated a bunch of crazy, terrifying things.
And now they're eyeing your million dollar gold vending machine.
It's Barnaby Jack.
He's cool.
Don't worry about it.
I tell you what.
You know, you probably want to know if you're a million dollar gold vending machine.
Our gold vending machine has this problem.
So why don't you let them do a little bit.
And then when they walk away, why don't you pull the plug on the thing and then move it
off the floor.
And sure enough, everybody got a little tired because, of course, there's some research
that has to go into these things and the alcohol fueling only lasts so long.
And when everybody got a little tired and decided to walk away, the next day you see
there's this big curtain pulled around everything and nobody's allowed near the thing.
But, you know, so there was no reach out to the embassy.
There was no international incident.
But there was Barnaby Jack and he will be missed.
Thank you.
JON OBERHEIDE.
So I'm Jon Oberheide.
by just a very small subset of the CFT performers that were involved with Mudge's DARPA program,
Cyber Fast Track. So we want to take an opportunity ‑‑ hold on a second.
We really just wanted to get up here and thank Mudge for all of his efforts inside
DARPA with this program. We all had a lot of fun. You've seen some of the research that's
come out of it at DEF CON and Black Hat and there will only be more of this coming out
soon.
But we also want to thank him for his entire career from the L0pht to DARPA and now onwards
to Google. I'm sure there's many more interesting things to come. So please give your strongest
round of applause for Mudge and everything he's done for the security community.
There's more. There's more. Don't go anywhere. We're not done.
So what we didn't mention is hopefully ‑‑ I'm going to say a few things about Mudge and
hopefully some other people that have participated in CFT will as well. My name is Joe Grand,
and I've known Mudge for a really long time.
I was in the L0pht back in, I guess we met in 1990.
I was like a 15-year-old punk little kid
and ended up getting in trouble for some things,
joined the L0pht,
and Mudge came in around the same time.
And he, I don't know if I ever told him this,
but he was one of my mentors growing up.
From that point, as a 16-year-old kid,
everybody else in the L0pht was older.
I sort of got to see the experience of somebody
that was like 6 or 8, I don't know,
how 20 years older than me, I don't exactly know.
He never actually told me his age.
But it was something that I got to sort of follow along.
I was in the L0pht, and it was a great experience,
and I sort of grew up in that from 16 to 22.
After we started @stake,
we sort of disappeared for a while.
Mudge went one way, I went another.
Some of the other guys,
sort of, you know, just disappeared.
And then he sort of surfaced, I guess, 2008 or 9,
and it was like all of a sudden,
Mudge is back, and he's in DARPA.
And I was like, holy shit.
Mudge is back, and he's working for the man.
And here I was, you know, grew up with him in the L0pht,
and there's a lot of stuff in the L0pht that you guys don't know.
And it was awesome.
And, yeah, I mean,
I didn't know Mudge was in DARPA.
I didn't really know what to think.
I was still involved in DEF CON and the hacker community,
and it was just, to me, seeing that,
I was like, wow, that was a big jump,
and that takes some serious balls to do that.
And I could never imagine doing that.
And I think everyone was like, what's going to happen?
Like, what's he actually going to do out there?
So it turned out to be an amazing thing.
You know, CFT happened,
and a huge number of my friends ended up doing all these projects.
You know, Charlie Miller had two projects in CFT,
and I was like, how is everybody doing all this?
Like, I want to do a project for CFT.
And I was running with Charlie one day,
and he's like, yeah, you should do it, man.
And, you know, Mudge has this whole thing wrapped up.
You just write a proposal, and he reads it,
and if it gets approved, they'll just send you money,
and you can work on stuff.
I'm like, really? Is it that easy?
He's like, yeah, do it.
And so that was last year.
So I was like, I don't know.
Do I want to work for Mudge again?
Like, that's going to be really weird.
Like, we were in the L0pht, and I don't want him to be my boss.
For real, this was his hugest complaint.
I'm like, they'll give you money.
He's like, I don't want to work for Mudge.
Yeah, so.
But he's like, it's not working for Mudge.
You know, some other group takes care of it.
So I'm like, all right, cool.
And I thought it was just a great thing that he was doing.
So I submitted a project that got rejected.
And I'm not sure I'm allowed to say this,
because I don't know if it was part of the official process,
but he called me up.
Like, I submitted the proposal, and like 15 minutes later, he calls me.
He's like, I need to talk to you in person about this.
I don't want to do it.
I just want to send you an email.
So he explained the process to me.
I'm like, all right, that's cool.
Too much engineering, whatever.
It didn't fit the DARPA thing, the CFT thing.
I'm like, okay, that's fine.
But it sort of drove me to like, I was like, I got to get a CFT in.
All my friends are doing it.
It's like, I got to take advantage of this while I can, man,
before it goes away.
So eventually I got one in, and I'm still working on it right now.
And it occurred to me that it's not that you can like,
you're doing this project.
You're doing this project to make money, right?
You're not doing a job to make money.
It's the fact that you're able to get money to do what you want to do.
And, you know, you do what you love to do, and you're not losing money,
is sort of what it is.
And that's sort of what we tried to do at the L0pht, is like,
do what we want to do and not lose money,
but make sure that we can keep kind of pushing things.
So I don't know.
I just wanted to say that.
I don't know if you noticed on the back.
Could someone turn around?
On the back of these shirts, it says,
making the theoretical practical since 1992.
And I don't know how we came up with that.
But that was one quote that we talked about, you know,
writing exploits and kind of showing vendors, like,
look, this is a possibility.
But the one that isn't on the back of this shirt is what we always used to say
about making a dent in the universe when we were at the L0pht.
I think Mudge actually came up with that.
So, you know, we'd be in interviews and news stuff and press,
and Mudge would always say, we're going to make a dent in the universe.
And I was like, yeah, yeah, yeah.
You know, I said it.
But I was like, that's total bullshit.
Like, how are we going to make a dent in the universe?
We're like seven guys with, you know, he had long hair, as you know.
And seven guys in a warehouse.
Like, how are we going to actually make a dent in the universe?
Other than in the hacker community, that's like a small, that's not the universe.
That's our universe, but it's not the universe.
But he actually believed it, you know.
And I was sort of like, I was going along with it.
But he believed it, and it didn't actually hit me until he got to DARPA and did CFT.
And it's like, holy shit, he did make a dent in the universe, you know.
Like.
But that, what he did in the work that came out of CFT, like, totally changed the world.
Whether it's immediate or whether it's later, it changed the government.
It changed the thought process.
It's amazing.
So I just wanted to personally thank him and welcome him back out of working for the man,
back into, like, the normal world.
So thanks.
I do also have to say that Charlie is responsible for probably 70% of the CFT.
I had a very similar phone call with him, I don't know, a couple of years back.
I remember distinctly.
And, you know, people have a very interesting opinion of what it's like to participate in any sort of DARPA or government grant.
And, you know, speaking with Charlie and learning about the streamlined process and the kind of low overhead it takes to get a grant through and actually get funding to, again, do what you want to do was very attractive.
So I think this program itself was wildly successful alone, but I think it's also changed a lot of our personal views about dealing with the government.
I hope that can continue with CFT, with the next program manager.
I would also say that Bitsys, are there any of the Bitsys guys up here?
So Bitsys helped run the program for DARPA.
So we'll all give them a round of applause ourselves because they were great to work with.
You know, I hadn't registered.
I've served DEF CON for over 20 years, which brings some perspective, and I've known this guy for a very, very, very long time, and he always wanted to be something greater than the average bear and to change things.
And I don't know if he'd mind me saying this, but I'll say it anyway.
Back in the day when his hunger was great, he asked me to take over the L0pht, which is probably a bad idea for a variety of reasons.
But.
I had faith in him that he is going to figure it out, and he did, and I've worked for him now for the last couple of years, and unfortunately, I've been fired by him because the program's ending, but congratulations, guy, you really did good.
Thanks, Dan.
Thank you.
I just want to say something super quick.
We're hackers, and we're individuals.
And we hate anyone speaking for us, but Mudge is pretty much the only guy that I'll let speak for me anytime he wants.
